Wednesday, June 4, 2014

Daily Blog #346: A quick note on Shellbag analysis in Windows 7/8

Hello Reader,
        If you are like me you love shellbags and use them on a regular basis to try to get some insight on what exists on external drives. One of the problems we run into though is that Shellbags stores full paths but not volume names or serial numbers so we cannot see from the entry what external device a recorded path was contained on from just that entry. We can do timeline analysis of devices plugged in, files accessed, drive letters assigned and the like to narrow down which device was plugged in but you are still sometimes left with multiple devices in play. I am going to go more in depth with this in a later series but I wanted to pass on a few tips.

NTFS v FAT entries

One of the easiest ways to tell the difference between drives requires that your sbag parser shows you the file record number and sequence number of the path it is pointing to. Sbag from TZWorks does this. If your tool is reporting this is becomes very easy to separate out the NTFS vs the FAT disks accessed as FAT does not record sequence numbers (its not part of its file system structure) so the sequence values will be null. 

NTFS v NTFS entries

A common thing we see is the same folder being copied to multiple drives, when this happens you can get seemingly duplicate entries in the shellbags. Look closer! The file record and sequence number will be unique between them allowing you to determine that they where contained on different drives.

Identifying the directory accessed

One of the questions I often get asked by clients is, did the drive they return contain the data they copied on to these external drives. Using the same file record and sequence number (or lack there of) we talked about above we can now match those accesses to each drive. I would not expect two drives to have the same file record and sequence number as well as creation times so you can also use the the creation times of the directories as a second factor in verifying that this is in fact the drive they accessed.